Nov. 20, 2018 | by David Jones

With Black Friday and Cyber Monday set to kick off within days, retailers and payment experts are increasingly concerned about the heightened threats to e-commerce sites and the potential impact that is having on mobile shopping.

A study from the National Retail Federation and Forrester found that payment card fraud remains the top concern of retailers, as cyber attackers have moved away from in-store fraud to online following the implementation of EMV chips on credit and debit cards. About 55 percent of retailers said they were concerned about the rise of payment card fraud and the implementation of EMV chips has moved a large number of attacks to e-commerce sites.

"The chip in an EMV card makes it difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is a legitimate cardholder," Stephanie Martz, senior vice president and general counsel at NRF said in the study announcement.

In addition, a new report from Juniper Research found that annual online fraud payment losses involving e-commerce, airline ticketing, money transfer and banking could more than double to $48 billion in 2023, up from the estimated $22 billion in losses projected for this year.

Threat actors

In August, three Ukrainian nationals, alleged to be members of a notorious cybergang known as Fin7, were arrested on federal charges that they stole millions of credit and debit cards in a massive malware campaign, dating back to 2015, which targeted more than 100 U.S. companies. In the U.S. alone, prosecutors said the group stole more than 15 million credit card records from 6,500 point-of-sale terminals, mainly in the restaurant, gaming and hospitality industries.

According to the indictments, the hackers sent emails with attachments to business employees and in some cases followed up with phone calls to make the emails seem legitimate. Once they were opened, the attackers used a version the Carbanak malware to infect the user's device and steal their payment data and resold that information on the Dark Web.

Another major actor uncovered this year was Magecart, which operated by skimming credit card information from vulnerable e-commerce sites, according to a joint research report from Risk IQ and Flashpoint. Magecart, which analysts said was comprised of a series of cyber attack teams, has targeted such high-profile names as Ticketmaster, British Airways and Newegg, according to the report.

And Check Point Software Technologies last month released its monthly Global Threat Index report revealing a nearly four-fold increase in cryptomining malware attacks against Apple's iPhone. The attacks used the Coinhive mining malware, which involved the use of javascript to search for online Monero cryptocurrency and essentially hijacked the resources of the device.

Researchers also found a sharp increase in attacks against devices using the Safari browser, the main web browser used in Apple devices.

Maya Horowitz, threat intelligence group manager at Check Point, said in that announcement that "attacks such as these are a reminder that mobile devices are an often overlooked element of an organization's attack surface, so its critical that these devices are protected with a comprehensive threat solution, to stop them from being a weak point in corporate security defenses."

Mobile protection

Considering that mobile devices now account for more than half of the global URL requests and that more than half of all personal and business email is first opened on a mobile device, mobile transactions can be vulnerable to all types of threats, said Brian Duckering, mobile security specialist at Symantec Corp., the firm behind the widely used Norton antivirus and malware protection products. Earlier this month, it acquired a startup called Appthority, as a move to help bolster the firm's ability to monitor threats against mobile apps that work in the Android and iOS environment.

Those risks include "network attacks where a hacker could observer unencrypted traffic and credentials, apps that could be a malicious copy of a legitimate app — or maybe use poorly implemented security measures," he told MPT via email. 

The New York State Attorney General's office warned in an announcement today that shoppers should avoid any financial transactions through an open, unsecured Wi-Fi connection, as hackers often stake out those type of locations. Consumers should make sure to only shop using a site with the https:// instead of http://, because the former is a secure SSL internet protocol.

They also warned that hackers use variants of known sites to lure consumers into entering their payment information and often target users through social media or email to use these fake sites.

Ron Teicher, chief executive of EverComplaint, said holiday shopping season is also ripe for a phenomenon called transaction laundering, where a merchant account is used to process the transactions of another merchant.

"In addition to being a violation of network rules, transaction laundering is often intended to hide the activity of the undeclared merchant specifically because that merchant would not otherwise be able to get a merchant account and process payments," Teicher said via email.

The reasons why this technique is used could involve anything from the sale of illegal goods to hide transactions involving sanctioned individuals or outright fraud, he said.

EverCompliant has identified more than 1 million sites that were apparently involved in illegal activity, he said, however, the primary victims in these instances were the financial institutions and the payment processors, who were not aware of the nature of the transactions.

Photo: iStock

Topics: Mobile Apps, Retail, Security

Companies: Symantec

David Jones

David Jones is a veteran business and technology journalist, with three decades of experience writing about business travel, real estate and technology.

Since 2015 he covered a range of technology stories for the ECT News Network, which includes the E-Commerce Times, TechNewsWorld, LinuxInsider and CRM Buyer, writing about cybersecurity, artificial intelligence, machine learning, open source computing and privacy issues among others,. He recently covered FinTech issues for PYMNTS.com.

He worked as a staff writer for Bloomberg Business News and an online reporter for Crain’s New York Business. He has written for numerous media organizations, including Reuters, The New York Times, The Real Deal, Continental, City Limits and The Nation.

He was previously awarded the George Washington Williams Fellowship for Journalists of Color by the Independent Press Association.

Related Content

Latest Content

Nov. 20, 2018

7-Eleven Inc. is partnering with cross-border payment firm Citcon to start accepting Chinese mobile payment platforms WeChat Pay and Alipay at 35 Canadian locations in Vancouver and Toronto, according to a company press release.

Citcon specializes in helping U.S. merchants integrate WeChat Pay and Alipay into their platforms.

The agreement makes 7-Eleven, the world’s largest convenience store chain with 67,000 locations, the first to accept mobile payments from WeChat Pay and Alipay in Canada, according to the release. Future plans include expanding to other parts of the country over the next few months.

Alipay, which is operated by Ant Financial Services Group, operates in 40 countries around the world, works with more than 250 financial institutions and supports 27 currencies, according to the release.

Earlier this month, 7-Eleven announced plans for a pilot program to test Scan & Pay technology at 14 Dallas-area stores in the U.S. The technology allows customers to skip the cashier line and check out remotely as long as they are inside or just outside the store.

Topics: Mobile Apps, Mobile/Digital Wallet, Retail

Companies: 7-Eleven, WeChat Pay, Alipay

Related Content

Latest Content

Nov. 20, 2018

Wonolo Inc., a San Francisco-based temporary staffing platform that pays workers through an app, said it raised $32 million in Series C financing led by Bain Capital Ventures, bringing the total funds raised by the firm to $60 million. The round also included investments from first-time investor Dag Ventures as well as existing funders, including Sequoia Capital, Base10, AMN Healthcare and Cendana.

The firm uses a mobile app to help companies fill on demand hourly jobs with unemployed or underemployed workers looking to find a position. The Wonolo platform connects the company and the worker through the platform and the entire onboarding process can be completed in minutes, according to a company spokesperson.

The company posts the scope of the job and the exact hours and how much the worker will earn, according to the spokesperson. Wonolo charges a fee to the employer, so for example if a job is paying $100 for a certain amount of work, an employer would see a charge for example of $145, with the excess amount going to Wonolo. Workers are paid quickly through the app in days, rather than waiting for the following pay period, the spokesperson said.

In April, the company raised $13 million in a Series B round led by Sequoia Capital.

.

Topics: Financial News, In-App Payments

Companies: Wonolo Inc.

Related Content

Latest Content

Nov. 19, 2018

The Securities and Exchange Commission said it settled charges with Carrier EQ Inc.(Airfox) and Paragon Coin Inc., alleging that they sold tokens in initial coin offerings without proper registration, according to a release from the agency.

Boston-based Airfox raised about $15 million in digital assets for a token-denominated ecosystem that would let users in emerging markets earn currency in exchange for them viewing advertising, according to the SEC. By October 2017, Airfox had sold 1.06 billion tokens to about 2,500 investors, according to the SEC order. 

Paragon raised $12 million from about 8,323 investors for its plan to develop a plan to use blockchain technology in the cannabis industry, according the SEC.

The agency said that neither firm registered their ICO under federal securities law, nor did they qualify for an exemption. Both firms agreed to return funds to harmed investors, register their tokens as securities, pay a penalty and file periodic reports with the SEC, according to the release.

Each company was fined $250,000, according to the SEC, however an SEC spokesman said the exact restitution amount was not specified in the announcement.

“We have made it clear that companies that issue securities through ICO’s are required to comply with existing statutes and rules governing the registration of securities,” said Stephanie Avakian, co-director of the SEC's enforcement division, in the release.

She said these cases are an indication that the agency will be on the lookout for future violators.

The action is the first time the SEC imposed such penalties in an ICO case, the agency said in the announcement. 

In December 2017, the SEC imposed a cease-and-desist order on Munchee Inc., but did not impose a fine. That firm, which sought $15 million in an ICO, consented to the order without admitting or denying guilt, and repaid investors, according to SEC documents.

Jessica VerSteeg, chief executive of Paragon, said the company has been working more than a year on the agreement and said it will “effectively put an end to the uncertainties of the legal status of our PRG tokens,” in a company release.

She said the company has entered agreements with many cannabis companies, including Dreamfields, Fundanna, Flux, Oakland Distribution, Pearl Pharma and Mammoth Labs, in a release. She added that the company has launched Phase I of its mobile app, which will allow for a Paragon Space member portal and the PRG wallet.

Airfox CEO Victor Santos said in a release that the company was pleased with the settlements with the SEC and the Massachusetts Securities Division. With the agreements, he said the company is “removing uncertainty and positioning Airfox to grow our blockchain platform within a regulatory framework.”

Topics: Bitcoin, Mobile Apps, Regulatory Issues

Companies: Airfox, Paragon Coin

Related Content

Latest Content